Top 5 Myths about HTTPS and SSL

We talked about HTTPS and why it is needed in a previous post. Website owners are responsible for securing the communication channel to their clients.

Though HTTPS and SSL certificates offer data protection and integrity, many sites are still reluctant to adopt them. There are many misconceptions about cost, performance and so on, which are the topic of this post. So let’s get started.

Here is the list of top common myths about HTTPS and SSL certificates:

1. SSL Certificates are expensive

Traditionally you have to purchase an SSL certificate. That is fine for big organizations and banks. Although the cost has come down over the years, small businesses and individual sites may not see the value in serving content securely. How do they justify this additional cost?

With some research, SSL certificates can be bought to suit your budget. Some platforms even offer free SSL certificates; we will talk about them in the next item.

2. HTTPS/SSL is complex

Implementing SSL involves many tasks, which primarily include:

  • Obtain and maintain an SSL certificate
  • Configure and install it on the server
  • Renew an existing certificate
  • Manage this annually – Time!

This might not be a big barrier for big companies and system administrators, but it surely seems like complex work for a normal user.

Both the cost and complexity problems can be solved easily with the help of services like Let’s Encrypt and Cloudflare. These services offer a free and automated way of managing SSL. Please have a look at this image showing the growth of SSL at Let’s Encrypt.

Let’s Encrypt Growth (Image taken from https://letsencrypt.org/)

3. HTTPS is required only for specific sites

You might have heard that only large organizations with security compliance requirements need SSL certificates. Another misunderstanding is that HTTPS is only required for sites handling personal data and sensitive information, like social media platforms, e-commerce, banking etc.

This is not true today: HTTPS is equally important for all sites, whether they handle sensitive data or not. It is the new norm for the modern web and helps the site work efficiently. It also tells your visitors that you’re a professional organization.

4. HTTPS slows down the websites

This is a very important point, and we will try to understand it in detail. Let’s divide it into two parts.

Server Performance

Many people believe that SSL takes a lot of CPU time. Actually, HTTPS adds no extra overhead on infrastructure. Of course there has to be some network overhead because of the negotiation phase (the TLS handshake), but it is very, very small.

Let’s visit the site https://istlsfastyet.com/ for more information. The site is self-explanatory and has good content; notice in particular the quote from Google employee Adam Langley observing no significant load on infrastructure. That was way back in 2010, and we have come a long way since then. It is 2020!

Image from https://istlsfastyet.com

Client Side

Let’s try the HTTP vs HTTPS image loading test on the site http://www.httpvshttps.com. It shows HTTPS is significantly faster than HTTP. Surprised?

HTTP vs HTTPS

Some people have the misconception that HTTPS adds network overhead because of the additional negotiation, so it must be slow. But then why is it faster?

This is because of the protocol being used. Unsecured sites use the http/1.1 protocol, whereas secured sites use h2 (HTTP/2 over HTTPS). HTTP/2 allows a binary stream of content, so we can get a lot more data coming in parallel compared to http/1.1. Browsers support HTTP/2 only over TLS (HTTPS), and that’s why we get better speed with HTTPS.
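The renewal task from myth 2 and the h2 negotiation described above can both be checked from a single TLS handshake. The following Python sketch is an added example, not code from the original post; the function names, the 30-day and 7-day thresholds and the sample certificate dictionary are assumptions made for illustration.

```python
import socket
import ssl
import time

# Assumed thresholds for this example; pick values that fit your renewal cycle.
WARN_DAYS = 30
CRIT_DAYS = 7


def days_until_expiry(cert, now=None):
    """Days left before the 'notAfter' date of a getpeercert() dictionary."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def assess(cert, alpn, now=None):
    """Turn handshake results into a status plus the facts behind it."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "EXPIRED"
    elif days <= CRIT_DAYS:
        status = "CRITICAL"
    elif days <= WARN_DAYS:
        status = "WARNING"
    else:
        status = "OK"
    # ALPN yields None when the server selected no protocol (no HTTP/2).
    return {"status": status, "days_left": days, "http2": alpn == "h2"}


def probe(host, port=443, timeout=5.0):
    """Handshake with full certificate validation and assess the result."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # offer HTTP/2 first
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(tls.getpeercert(), tls.selected_alpn_protocol())


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {"notAfter": "Mar 15 12:00:00 2020 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 12:00:00 2020 GMT")

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, "h2", SAMPLE_NOW))
```

Run from a scheduler, `probe("your-site.example")` reports a certificate nearing expiry before visitors see a browser warning; a handshake that fails validation raises `ssl.SSLCertVerificationError` rather than returning a status.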

5. SSL is the silver bullet!

It is a common misconception that having an SSL certificate entirely secures the website and is the ultimate security solution. This is not correct: an SSL certificate does not prevent attackers from exploiting other vulnerabilities in your web application and the code behind it.

HTTPS and SSL certificates ensure a secure channel through which data is transmitted. This prevents a man-in-the-middle from intercepting the data in transit. It doesn’t protect the ends of the tunnel: the database at the server or the browser at the client.

Benefits of having HTTPS/SSL

We have now talked about the misconceptions around implementing HTTPS. We can call them perceived barriers or myths, as these traditional barriers no longer exist today!

Although the primary benefit of HTTPS is security, protecting users from man-in-the-middle attacks, there are many other benefits for a website owner. Let’s look at the benefits of HTTPS one by one.

  • Improved Security – This is the basic motive of HTTPS and we all agree on this by now.
  • Trust – The ‘secured’ keyword or green padlock that appears on a secured site gives visitors peace of mind and builds trust that your website is trustworthy.
  • Improves Search Rankings – Google will penalize your website in search rankings if it is not served over HTTPS.
  • Speed – We just saw that the high-performing HTTP/2 protocol can only be used over HTTPS.
  • New Features – HTTPS is a basic requirement for many new browser features, e.g. Brotli compression.

Conclusion

HTTPS and SSL are a very important part of how the modern web works and of building trust over the internet. The traditional myths and barriers no longer apply today; instead, HTTPS adds many benefits to the overall web experience.

Thank you for reading, hope you enjoyed the post. Stay Safe, Stay Secure!